CISA says new malware known as Submarine was used to backdoor Barracuda ESG (Email Security Gateway) appliances on federal agencies' networks by exploiting a now-patched zero-day bug.

A suspected pro-China hacker group (UNC4841) deployed the backdoor in a series of data-theft attacks detected in May but active since at least October 2022.

Barracuda revealed that the attackers exploited the CVE-2023-2868 remote command injection zero-day, a flaw in how the appliance sanitized the names of files inside .tar email attachments before handing them to a shell, to drop previously unknown malware dubbed Saltwater and SeaSpy and a malicious tool called SeaSide to establish reverse shells for easy remote access.
Last month, Barracuda took an unconventional approach and offered replacement devices to all affected customers at no charge.
This decision came after issuing a warning that all compromised ESG (Email Security Gateway) appliances needed immediate replacement instead of merely re-imaging them with new firmware.
Mandiant Incident Response Manager John Palmisano told BleepingComputer at the time that this was recommended out of caution, as the company could not ensure the complete removal of malware.

Unknown backdoor found on hacked ESG appliances

On Friday, CISA revealed that another new malware strain known as Submarine—and also tracked by Mandiant as DepthCharge—was found on the compromised appliances, a multi-component backdoor used for detection evasion, persistence, and data harvesting.

"SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup," CISA said in a malware analysis report published on Friday.
"In addition to SUBMARINE, CISA obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information."
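For readers who want a concrete check rather than a description: CVE-2023-2868 was a failure to sanitize the names of files inside .tar email attachments before they reached a shell through Perl's qx operator, so a mail-side scan for shell metacharacters in tar member names is one way to catch exploitation attempts before they reach the appliance. The script below is an added example, not code from the article, CISA, Barracuda or Mandiant. It builds a constructed MIME message carrying a constructed .tar attachment, walks the message for tar attachments and flags member names containing shell metacharacters. The metacharacter set, the attachment filter (declared type or .tar extension) and the sample file names are assumptions made for this example.

```python
from __future__ import annotations

import email
import io
import re
import tarfile
from email.message import EmailMessage

# Shell metacharacters that have no business in an archive member name.
# Assumption for this example: any of these in a tar header name is flagged.
# The real bug passed unsanitized member names to Perl's qx (backtick) operator,
# so backticks and $(...) are the patterns that matter most.
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")


def suspicious_tar_names(tar_bytes: bytes) -> list[str]:
    """Return the member names in a tar archive that contain shell metacharacters."""
    flagged: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if SHELL_META.search(member.name):
                flagged.append(member.name)
    return flagged


def scan_mime(raw_message: bytes) -> dict[str, list[str]]:
    """Walk a raw MIME message and scan every .tar attachment.

    Returns {attachment filename: [suspicious member names]}.
    """
    results: dict[str, list[str]] = {}
    msg = email.message_from_bytes(raw_message)
    for part in msg.walk():
        filename = part.get_filename() or ""
        # Filter assumption: match on the declared type or a .tar extension.
        is_tar = filename.lower().endswith(".tar") or part.get_content_type() == "application/x-tar"
        if not is_tar:
            continue
        payload = part.get_payload(decode=True)  # base64 / quoted-printable decoded bytes
        if not payload:
            continue
        try:
            results[filename] = suspicious_tar_names(payload)
        except tarfile.TarError:
            # An attachment that claims to be a tar but will not parse deserves a look too.
            results[filename] = ["<unparseable tar>"]
    return results


# --- constructed sample inputs (not real attacker data) ---------------------

def build_tar(names: list[str]) -> bytes:
    """Build an in-memory tar whose members have the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_message(tar_bytes: bytes, filename: str = "report.tar") -> bytes:
    """Wrap a tar in a simple multipart message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed addresses
    msg["To"] = "mailbox@example.invalid"
    msg["Subject"] = "Q2 report"
    msg.set_content("See attached.")
    msg.add_attachment(tar_bytes, maintype="application", subtype="x-tar", filename=filename)
    return msg.as_bytes()


BENIGN_TAR = build_tar(["report/q2.csv", "report/notes.txt"])
# The member name is shell syntax rather than a path: exactly what a sanitizer must reject.
INJECTED_TAR = build_tar(["report/q2.csv", "`id > /tmp/pwned`"])

if __name__ == "__main__":
    for label, tar_bytes in (("benign", BENIGN_TAR), ("injected", INJECTED_TAR)):
        print(label, scan_mime(build_message(tar_bytes)))
```

The check deliberately inspects the tar header names and never extracts or executes anything; it is a triage filter for a mail gateway or a mailbox sweep, and a hit warrants the kind of appliance-level review Barracuda and CISA describe, not just dropping the message.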
In the wake of the attacks, Barracuda provided guidance to affected customers, advising them to thoroughly review their environments to verify that the attackers had not compromised other devices within their networks.
"This additional malware was utilized by the threat actor in response to Barracuda’s remediation actions in an attempt to create persistent access on customer ESG appliances. This malware appeared on a very small number of already compromised ESG appliances," Barracuda added.
"Barracuda’s recommendation is unchanged. Customers should discontinue use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance."
The advice aligns with today's warning from CISA, which says that the "malware poses a severe threat for lateral movement."
Those who encounter suspicious activities linked to the Submarine malware and the Barracuda ESG attacks are urged to contact CISA's 24/7 Operations Center at Report@cisa.gov.
Barracuda says its services and products are used by over 200,000 organizations worldwide, including high-profile ones such as Samsung, Delta Airlines, Kraft Heinz, and Mitsubishi.
